Happy holidays? It won’t be, if you book a room at a bogus hotel!
We’ve all seen the scams where you receive a suspicious e-mail asking you to confirm a hotel booking that you never made. It now seems cyber-criminals have taken things a step further and have actually set up web sites that wait for unsuspecting guests to make a booking at a bogus hotel!
Brand Name Borrowing
The bogus hotels are making use of well-known hotel brands to dupe Internet customers, as well as providing online booking forms and telephone numbers. Most brands with an Internet presence will purchase a web site domain name and all its variations to prevent anyone else from using the brand name. However, it would be difficult to purchase every possible variation of a domain name for a particular brand, and this is where cyber-criminals are finding their loophole.
London-based hotel Sheraton Skyline has its legitimate web site at the domain www.sheratonskyline.com. The bogus hotel, set up by criminals, has a web site at the domain www.sheraton-skylinehotel.com. Would you have suspected anything?
UK Number Redirection
As with most hotel web sites, the fake hotels are listing telephone numbers as an alternative means of contact. It’s not uncommon for a hotel web site to list its telephone number with the country code.
Where a telephone number is listed beginning with +4470, the +44 indicates a UK-based telephone number. However, the 70 prefix is the UK global redirection service, meaning the telephone call will be redirected to any country other than the UK.
The fraud doesn’t only target would-be paying customers but also those looking for work in the hospitality sector. The bogus web sites can appear to be offering promising careers and exciting opportunities working abroad. According to HotforSecurity, quite often in the case of job scams, criminals recruit victims for money-laundering purposes.
Phishing and Fraud
Unlike phishing, this type of scam is more difficult to spot because of how genuine the web site’s domain name appears. Phishing is where a web page attempts to trick users into believing they are on another web site by mimicking its appearance. In this particular scam, the bogus web site looks completely different from the genuine one; the fraud has been created from scratch. In addition, users aren’t being targeted via e-mail spam but are landing on the web sites from innocent searches, believing they have found the authentic web site of the company.
How to Tell
This is a difficult scam to spot. Unlike typical scams, the domain name can appear legitimate and a lot of people won’t notice the redirection prefix in the telephone number. As it’s not a phishing scam, your browser won’t necessarily alert you to anything suspicious.
Some antivirus and Internet security software has been updated to identify web sites that are known to be fraudulent. Make sure that your antivirus software is kept up to date with the latest definitions installed.
In addition, you can try the following to determine whether the hotel web site is genuine:
- perform a search for the hotel’s brand name followed by “scam” or “fraud” to see whether any other user has reported the web site as suspicious
- check a business listings directory, such as Yell.com, for a company’s legitimate web site address
- search the WHOIS database to find out who registered the web site domain name and check that the address is the hotel’s actual address.
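
The two warning signs described above, a brand name on a domain that is not the brand's own and a listed number beginning +4470, can also be checked mechanically. The following is an added example, not part of the original article; the function names, the brand keyword list and the sample phone numbers are assumptions made for illustration, and the domain handling assumes a single-label TLD such as .com.

```python
import re

def registrable_domain(host):
    """Last two labels of a host name. Assumes a single-label TLD such as .com."""
    host = re.sub(r"^[a-z]+://", "", host.lower().strip())
    host = host.split("/")[0].split(":")[0].rstrip(".")
    return ".".join(host.split(".")[-2:])

def is_brand_lookalike(candidate, official, brand_tokens):
    """True when candidate is not the official domain but embeds every brand token."""
    cand, off = registrable_domain(candidate), registrable_domain(official)
    if cand == off:
        return False  # the official site or one of its subdomains
    # Drop hyphens and digits so 'sheraton-skylinehotel' reads as one string.
    flat = re.sub(r"[^a-z]", "", cand.rsplit(".", 1)[0])
    return all(tok.lower() in flat for tok in brand_tokens)

def is_uk_070_number(raw):
    """True when a listed phone number normalises to the +4470 prefix."""
    num = raw.replace("(0)", "")          # optional trunk digit, as in +44 (0)70
    num = re.sub(r"[^\d+]", "", num)      # strip spaces, dashes, brackets
    if num.startswith("00"):
        num = "+" + num[2:]               # 0044... -> +44...
    elif num.startswith("0"):
        num = "+44" + num[1:]             # assumes UK national format, 070...
    return num.startswith("+4470")

def review_listing(site, phone, official, brand_tokens):
    """Return the warning signs from the article that apply to one listing."""
    warnings = []
    if is_brand_lookalike(site, official, brand_tokens):
        warnings.append("brand name on a domain other than " + registrable_domain(official))
    if is_uk_070_number(phone):
        warnings.append("+4470 redirection number")
    return warnings

if __name__ == "__main__":
    OFFICIAL = "www.sheratonskyline.com"        # from the article
    TOKENS = ["sheraton", "skyline"]            # assumed brand keywords
    # Phone numbers below are constructed placeholders.
    for site, phone in [("www.sheraton-skylinehotel.com", "+44 (0)70 0000 0000"),
                        ("https://www.sheratonskyline.com/rooms", "+44 20 0000 0000")]:
        print(site, "->", review_listing(site, phone, OFFICIAL, TOKENS) or "no warning signs")
```

A match only means the listing deserves the manual checks in the list above; a brand's own regional or partner sites can also trip the domain test.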